meduza | ca54bdbbd6238be2040eb965561f078e573569d8d2fa0756d02e2795276c62bf

Analysis

max time kernel
220s
max time network
221s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kraken.exe
Size

3.7MB
MD5

2efb1d6f632c13e3be57d710f190f8d0
SHA1

19437cafa11c6ae5fa27e35de3369cf0817a7dbb
SHA256

ca54bdbbd6238be2040eb965561f078e573569d8d2fa0756d02e2795276c62bf
SHA512

ae3a3fa1c142c5d57f641da0941364189ffe01daac6a4739d5d84508f0461451ef4c818cc1164d9cfab3ddbc6f613f94e26046fd7d613e42a7ec858dec29b38b
SSDEEP

49152:PQusxfstVERf60TI/s4U/cAjuvWjbQVLu3:gCu3

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
444
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 46 IoCs

resource	yara_rule
behavioral1/memory/2728-0-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-7-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-8-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-13-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-14-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-19-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-21-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-16-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-15-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-12-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-6-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-1-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-5-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-2-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-29-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-28-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-33-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-32-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-34-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-36-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-40-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-41-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-39-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-35-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-71-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-82-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-84-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-91-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-77-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-76-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-73-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-70-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-65-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-64-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-59-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-55-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-53-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-52-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-49-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-47-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-43-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-58-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-46-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-42-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-94-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza
behavioral1/memory/2728-95-0x0000000140000000-0x00000001401FA000-memory.dmp	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\Control Panel\International\Geo\Nation	Kraken.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe
Key opened	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
9	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3372 set thread context of 2728	3372	Kraken.exe	81

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1684	cmd.exe
4104	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133769105119141189"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4104	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2728	Kraken.exe
2728	Kraken.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe
396	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	Kraken.exe
Token: SeImpersonatePrivilege	2728	Kraken.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe
Token: SeShutdownPrivilege	2908	chrome.exe
Token: SeCreatePagefilePrivilege	2908	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe
2908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 2728	3372	Kraken.exe	81
PID 3372 wrote to memory of 2728	3372	Kraken.exe	81
PID 3372 wrote to memory of 2728	3372	Kraken.exe	81
PID 3372 wrote to memory of 2728	3372	Kraken.exe	81
PID 3372 wrote to memory of 2728	3372	Kraken.exe	81
PID 3372 wrote to memory of 2728	3372	Kraken.exe	81
PID 3372 wrote to memory of 2728	3372	Kraken.exe	81
PID 3372 wrote to memory of 2728	3372	Kraken.exe	81
PID 3372 wrote to memory of 2728	3372	Kraken.exe	81
PID 3372 wrote to memory of 2728	3372	Kraken.exe	81
PID 2728 wrote to memory of 1684	2728	Kraken.exe	89
PID 2728 wrote to memory of 1684	2728	Kraken.exe	89
PID 1684 wrote to memory of 4104	1684	cmd.exe	91
PID 1684 wrote to memory of 4104	1684	cmd.exe	91
PID 2908 wrote to memory of 2108	2908	chrome.exe	95
PID 2908 wrote to memory of 2108	2908	chrome.exe	95
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 748	2908	chrome.exe	96
PID 2908 wrote to memory of 740	2908	chrome.exe	97
PID 2908 wrote to memory of 740	2908	chrome.exe	97
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98
PID 2908 wrote to memory of 376	2908	chrome.exe	98

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-584106483-899802418-1877852863-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Kraken.exe

C:\Users\Admin\AppData\Local\Temp\Kraken.exe
"C:\Users\Admin\AppData\Local\Temp\Kraken.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Users\Admin\AppData\Local\Temp\Kraken.exe
  C:\Users\Admin\AppData\Local\Temp\Kraken.exe
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2728
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Kraken.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffe7549cc40,0x7ffe7549cc4c,0x7ffe7549cc58
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1596,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2284,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=504,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4872,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5340,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1076,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=904,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5424,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4772,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5464,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3296,i,5001857239971631973,126712929513662264,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4840

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:68

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
340d652dc9da3e86010c758fe9bb2744

SHA1
a4826e387e51f753ab5c859d428b90fd9536b87f

SHA256
5f07fb18353cebbc6b681351f86864ce4f7e05cf8a5b0bd1b94e303df0cbf954

SHA512
e49557e4fe91fecb47567e868875cbf5df469e0a652f0f793ba498f3b7c651377861f89a817c02e0d3bb25f690ed87be4ce66e77a6c2f4d1c9c8ea3fa6a671a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
39957d8d32a3e635564d13682b70c653

SHA1
438fd9accab688a962ed8e0f025c20de91911ac9

SHA256
54aa5a8b3ef846b24b54cff8e98d4e612b6d44263422e23f4dfc0d1de3c3552c

SHA512
2991d1b8acb6d597cf21b5404e7e9a4be5e71c8fe85a26edf9bff6493c754ba5d20d192d56440d9311add4a88836ca9f7c2d8867097d791aee85535495a7d255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
1e979da83e87478a54be4880f20322eb

SHA1
f86f51d0a2ba4b93fcfd2b7983467eeb1ff9f2b3

SHA256
8b9d85e32713a0c69e3625d4ca31073dbc70cfc48c8e9bc4bffb83d4727a1ebe

SHA512
a783b471277a33ebb67defe32c1f9c2a2171f69bdd871fc166723a62881b37bbcf74721f257fc3bd2259bd18a39b75bc0274388ddedd8ff53ae56cdfdc7ec5fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cd6a504cc34bb2861db37ed2d51f42f5

SHA1
154a4bb514ab0da67413f5359ed6d6badff0aa14

SHA256
980ff9cb77ddd3efa94a827fee0c7511441ec2b48a66e8a442ef6aab7267e86f

SHA512
31746ad22bef74e8675bca940af999fde82e2ab3701187a782643201bbe6993d782ddcc79f3d127f26bab3ddf05158d3ec7c771f69e175fade099a7023b54a88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
22504ddc16feb15960d80364e7a4ab4f

SHA1
fa82936a3433ed90f7d0d1cc4336ba19b0291488

SHA256
d29a88095be86ac62baca32bc04c6ad738ea1d56ada0dcced4184413576b6bd0

SHA512
9850361005a37b7aa0a7408bbbbeccf74be5be09fa07dd96b259d6208e152a68dbb20954349a8519015e1f4dec15110f4fafbb1ddef37389410f424604e981ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6143d661ec990cdf1e41105947cd079c

SHA1
01ee260e40a7438fe09a004080bdf131d7a72be7

SHA256
5cb94acde0572bb4f5354b31969e9d15fcd11f541969e37dce6bf7a03810f8c4

SHA512
1861675973d97b836a028b1bc54d207bf6cd0413aeea422a9ee0cb5f412fbdbed4b4723c49cf172a1331964525ce58a8620ca7644368a89ab6fb78c9840a7a31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
25dc591300562a76b655affecb5de85f

SHA1
ae378c9c03b6c3eada5721e352e97390ca1d2c07

SHA256
c534993253749046876fe7a9095e029722ff5e689013fed183db8457a0837752

SHA512
a6d5ea45d74887efeddc799afb58c78409e27c784507c4ed799bb933fc77c8f4b9285919edce47e49d289a5d69937195f53ea31304e78bb8d7c323177556c5d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5a08ad664e843a7981e906661afd0a40

SHA1
9214663a312d8ddf4b2b8f4725da136880553d2c

SHA256
6bc2a7a9c9fe2d8ddde4220d5f86ce6d3e7ed75fa06648cab3ff661b08755267

SHA512
78e1b13954e58418ddd57925b21c8cf15476c218027081d3ad80e03e1f2cf6889cb6c8d3a80ef5767b1665be548094a70c7c658677f0fcd164071bce6e4144a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7d48ce16ca4866f0aedd0f76dd20e3d1

SHA1
317653b5a8a581e774859c113287c3ff451217b6

SHA256
2378d618718b3cef1382a4eed2ae1820322f60eb215cc04f741c9323786249f4

SHA512
35e7794369e50abaf1120e716201eefb9b39008df4de47f937852e3d6ffd629b2c0b59e0aaf6f11fe9d63582cd60607607326e09a9a3084ebcb3379431bd786e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
38c1365cecf8ae6c829fd12de2a91040

SHA1
16af07ad62ca3fbaef86c110b76d8f7b745d0249

SHA256
d1f3b0431552ac88aa21bf3579831bc8fdb7a3d37f70f53c82e9ade4baff257a

SHA512
e6c9c1a230f57e6df22ab39232bd112f40ee6962080141d42b0c69995c7033264ef48b9efb13ab8729a4afad4d4a5b45f8ea37355d94a85a60f615312955ec21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6ec1d1a4e16d670def13ea6af86e957

SHA1
b2f545a5065ed884cfb214cd64f5c2ba6306f9ec

SHA256
6a07f72065873f383f574c720a43b321b6c5b1c9b9df1bbd66d12730cd08a325

SHA512
8ebeca330570e8af6795dc5d6891c2dd1bbb2b095b4f70e9678e0b6409bebdcd3ad7d6fc9b25f55debf4fa14408670d4da9a0f1fc9289966a567711c58906ec0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f48071dea4ed51be72c09823dc26fa78

SHA1
4dfec57d4cb42f0f7b97221f26e785a842a4526d

SHA256
6ec14a917c45cae69d462c2372f4696cd3ccb7d8ea2d881f2b89e914841d737d

SHA512
0844def24955d7cfed4858902f9af5a368ecd51dc5e91013c14b0590e82aab3b269ecc1ba22ccb54cbb1f7207ab65a448a045d571b177b1b4e930a7b8d3d91d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
711d5efd1961ab56b1058b411dfc60ee

SHA1
805d811dc439a537887f6b19f99b4c9c5009f7f6

SHA256
7ab45f81d0bf2b874d021114825192b3a83490bae1d3a1edd0a8fabc476e83eb

SHA512
d87a681ea286edee4dee99a56890886438f8eea7647456b11c5b5c37edd689eea1c248c9f2b61c2a262bc773966335f525463a9758751a5c4d2c3b0cb8510a7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c43b136952461f828ea0d41f9556798d

SHA1
f5b1ecedcf555ef52f7a7dde9ea770579899c584

SHA256
af74b8735150a0febd89de73dc5480cfd7f30ba573cb4851491960d826bd0c71

SHA512
41f48f374c9d5763e331473022a1c5d6320a92919049e4784037c5f264b404b6ffabae53f181ee1346c3cd8de75bb951bab2ba1bdcfe65b40982bbeb1297593a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
297448b386445054663ff4719f8b48f2

SHA1
fb582c61ab093761557a7fc0c430a2e88dab3b91

SHA256
2c4eeddea2406b5526d3ad530459bfec8467b1255409c8794bdf799c7cc59379

SHA512
95f1d872d0bd41de5d2af0ed7130eb7c8094ac1cd773838fd4b3104d5cf913bb0d3a4b6602ad1a211b844a036204c60cdaf9e2f3b5341c64292f43286a034435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
59b0ce37df48f562ca9eda875be1e3cf

SHA1
a8b6cba147d11d3c6139dbd085239b135d89635d

SHA256
c8835cb93262d4009abc0c5ba859e7b835ce4416590c716b717257f7b125cbc2

SHA512
40e459b1c57a6ecb582b9dcf1f433514f60f9152712b04b9237301c878d781cc9bd1e226869d62ec971fa02bbaffa8502ff1e7e139b84937203736d58db3426e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
be9229ec5162b52b38d8358ce040aef0

SHA1
78fd592d450d61dbfd2eafe79a4e2206ff30cbf0

SHA256
9ddc00c72adb794d964f7499f93f6214c6ce18b1a14250ca1e243141ffa61088

SHA512
ec6f154c210d39e7acd5eb4272f3e0838f6786e80c0729279c26c9e10b31ad4b3ccc9c5217657f654ab367489cd4aa4f9e6a536c15369a620b152a04c2f86c2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
23da069255647d395ceda6a066288a16

SHA1
afa78ada503e9219e06ec982cc5816e87d72843f

SHA256
e4d3c12ad6c57d5d2b6e306cc574a886b7859ad53da2ed885708c5aade0fdd97

SHA512
615e8717f3ef67ed2c4c530075a01b3d5e3e6c7c699bf191c61d640e969cdd7b021b9d7e19259c3af62ec49959dcbc3f3faf4c481005177da7545769878b2600

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bc6becfae98ddb744f808aa1dde84e33

SHA1
2e53900ddc7ed9cee2cd778a2147320de7e2300e

SHA256
869a62e274233c4407aa07b1e8962d6811691905484742be565f7e33d0261e5e

SHA512
f01d67e35ca1bad6f5449d050eaf078282c7bc71c86523fc5734aef9d2469b3900e495f24cbcd66de1d4bb36bcda23cbcdaa6e4d1bfedde3a59d3090f23d25f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3b3d7be1fc441ce1d5127a72ef4244de

SHA1
a6a71bc8c413aa930d0f59f18ec641081049f858

SHA256
9b7e46e3a0cf84c1d71695d6ca854250c615d675dace1b641a7f6d652fa2f8e0

SHA512
d76b7f37fe29f62bc69ea91493827407030ac80553203b1560ede54f6e4a9c6aea3f61f074e3dfa10394de25b2dda1b4899e1702c73daeba06dc07fcb810febd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4304aff8e01a8eba4d13f10731a058ee

SHA1
d58e0c1cd813b941fa79a618c78167e442b31af0

SHA256
bdc664878764b0dcba25d09bca76e78c556ce9ab9c81d7283b5a4f699f819154

SHA512
87e1f780bd7b038ab6580580a860a0316f5dc1ef9d34e94aaafe3778be543bdeb0848f98bc8128a65e81a30d99b6432fb2a76aab77d6b7c2328ae44855345f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1b1c7197296aa9729844ec6309661767

SHA1
e55ac9e6f6ac3e0a08fd802796e48650fa0a3a9d

SHA256
90153ace96bb74e0de80e4905a23cf11b0607392e0616ba9dafe3699309b2432

SHA512
52dfe21adb91f61c4c42336db681239fd70b8e04f5997c221faa955dff54e9d33d89cf4950d1cc587b52a8d932802b95eae55263347fea36bf0ab7eabe89ada4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
be04f15a1eb36e5fb58c17c5a7c4d0a9

SHA1
0b9c488c1864386318e255e3db9a2d75608777ba

SHA256
f9ce2757b72ea96444136e18fb23d2ea7d8968a1e7d929676da2b94a28ea7d71

SHA512
359a91156d9b217e342870478064f8b2dcac477a181b6d967d8d0d64c8b302e1c68bbd8b8e2aa02ac271dc75c7e804e71198115f420ed73f3bb63458ce0c2609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
238KB

MD5
3873ecba1da34a94b982053ce1bec7f5

SHA1
86f6f604ab9ad311dd90b90ff5cc512a0d8e7c4c

SHA256
545d48a47cae58867da89e0dd34ec6daa3de9b38cdea2d040c0ba9ba90ea7d7a

SHA512
707c78800e5d659f0e8fee36bd2f8d2fef83e977c15f551bf5226e25f38937b3e9c1f1ac75c5f93a6d95c7f882eca0dab63354f4dc2023aae381b63b3f2d1876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
268KB

MD5
d80d8008c130b4d7305a1287607cd884

SHA1
8443262500dc6cd6db18acd14cb1dffbbc6b399f

SHA256
b43e879b71e9453b147f3826dbea4d61b0b41be0475c2d0d1f885ce8cc59e09e

SHA512
72410a2785db482264c0c30ac95e1413238b617ba5db98e9e24560a0107785f3800e3578e7c87516a9148fe63249f25a1ee256b39ec6965882a7bc61075ece11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
6581a4b6025fbebc3bea12e056665ce3

SHA1
ad6b7a1bf3a13252ec0e515292d800113c35ca18

SHA256
7cb06640a9f4ca15a4131f4e645ac509be54e1d0c569e0d18569bedb5f4a8b51

SHA512
9a6e27a832814c0d912b5b8f7a5dc4dd291e1f774adee2f13e85f35f82d4d42d4502130735a676b3ba06612bb7e8cb2c0b293cf75a1a2b72b22f48e72bf857f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
120KB

MD5
552e9dc4d4c8d91e92e75abf990bd78c

SHA1
3f42baf2404cbf9c7dd164f57fde57608e72602f

SHA256
49642a97c1359b02cdc76a8b7fabc65c62cf50ae41ea01b105ddd3c6a0ff421c

SHA512
ce0a6b14dc28f44a6775b346550853b7ec94bcf8b9a0e87298a431347e707d771b432fc9dd18877dc0784980352aa382f9d8bc41f8a750c2e6eae3df41d20bc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
238KB

MD5
b58b6f9f298e696564a9a4a7c74542b5

SHA1
d8e9606b9013592ea06d603e3acc811d6c3fc2c9

SHA256
7b2857b5038f4b576e23d21043a03a44d68d563255ca634d68f113a2e272f5e1

SHA512
c43266aa72decf40c6b5b5dbddf9defd0812ffd96e66a1e8e58069fef33402ffc58f008b1438df337637221cb1101101c926b3295d838c923cda1e7213fd81f9

Download Submit
memory/2728-34-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-35-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-65-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-64-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-59-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-55-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-53-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-52-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-49-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-47-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-43-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-58-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-46-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-42-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-94-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-95-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-73-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-76-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-77-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-91-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-84-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-82-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-71-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-70-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-39-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-41-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-40-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-36-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-0-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-32-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-33-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-28-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-29-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-2-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-5-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-1-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-3-0x00000000C0120000-0x00000000C0121000-memory.dmp

Filesize
4KB

Download
memory/2728-6-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-12-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-15-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-16-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-21-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-19-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-14-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-13-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-8-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2728-7-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download